Mysterious directories appearing


Darren Tam

Hello,

I have several folders under Program Files which have
mysteriously appeared. They are:

ANOGramHeart
ANOGramHEARTPROGRAM
ante
ANTEHEART
ANTEHEARTPROGRAM
ANTEPEARTprogram
AROGramHEart
AROGramHEARTPROGRAM
HEARTheart
HEARThePROGRAM
PNoEramheart
PNoEramheartPROGRAM
PNOGramHEart
PNOGramHEARTPROGRAM
PNTE
PNTgHEart
PNTgHEARTPROGRAM
PNTGramhEaar
PNTGramhEAARPROGRAM
PNTGramheart
PNTGramHEARTPROGRAM
PROEHEArt
PROEHEARTPROGRAM
ProEramheart
ProEramheartPROGRAM
ProgHEahe
ProgHEAheart
ProgHEAHEartPROGRAM
ProgHEAHEPROGRAM
ProgHEAREart
ProgHEAREartPROGRAM
PROGHEART
PROGHEARTPROGRAM
PROGramheart
PROGramHEARTPROGRAM
PROGREArt
PROGREARTPROGRAM
PrTEramheart
PrTEramheartPROGRAM
PRTGRAMheart
PRTGRAMHEARTPROGRAM

They all contain just one file each - and the same file
at that, called "find scr live.dat"

As you can imagine, this is very worrying. The sheer
number of these folders and the names suggest some sort
of malware is taking over my PC. I have run Ad-Aware with
the latest virus definitions but it detected nothing.

There is also a mysearch toolbar on IE which I cannot
seem to get rid of - is this related?

Any help in this matter would be much appreciated.

Many thanks and kind regards,

Darren
 

Even after doing an update, take a look at the detection signatures
datestamp. It's almost 2 months old. Lots of crap gets written or mutated
in that time. Ad-Aware, and Spybot, do NOT detect viruses. They detect
spyware. You made no mention of doing a full scan using a recently updated
anti-virus product. Sure looks like you have been infected.
 
Hi,

Thanks for the reply.

Sorry - I got a little mixed up in my message. I did a
full scan using Ad-Aware with the latest update of
spyware definitions.

I have also since then done a full scan with Norton
Antivirus (also with the latest virus definitions) and
yet both came up with nothing - no spyware detected by
Ad-Aware and no viruses detected by Norton.

Does anyone know if it is safe to delete the folders? I
have tried deleting them, but within one of the folders
(ANTEHEARTPROGRAM) is a .dll file named "Cake City.dll"
and when I try to delete this folder, the error
message "Cannot delete: Access denied. Make sure the disc
is not full, write protected or currently in use" comes
up.

Any help in resolving the matter would be much
appreciated.

Many thanks,

Darren
 
You could use the FileMon utility from SysInternals and filter on just the
files you want to watch to see what process is writing to them. Or use
Foundstone's FileWatch to monitor a particular file.

If the file is currently in use, see if SysInternals' 'handle' utility tells
you who has a handle on the open file.
 
If you are told "Access Denied", then reboot into safe
mode and you will be able to delete them.
To get into safe mode just hit the F5 or F8 key when your
computer restarts. Good luck.
 
Darren Tam said:
Hi, ....

Does anyone know if it is safe to delete the folders? I
have tried deleting them, but within one of the folders
(ANTEHEARTPROGRAM) is a .dll file named "Cake City.dll"
and when I try to delete this folder, the error
message "Cannot delete: Access denied. Make sure the disc
is not full, write protected or currently in use" comes
up.
....

If you're afraid to try to delete (and restore if they're
needed), you can accomplish the same effect by renaming the
folders. Use something easy so you can put them back to
usability if they're needed (which I don't think they are
unless you're a game player).
Rename example:
  folder1 ===> folder_1
  folder2 ===> folder_2
etc. If nothing breaks, then you can get rid of them or
archive them in case they turn up as needed later on. Since
there are so many, just start renaming a few of them at a
time each time you log on or are ready to log off; makes it
less painful. To Rename, just right click and choose
Rename.

Usually you can also delete files like that from Safe Mode.
F8 during boot usually lets you get into Safe Mode.

If that won't work, you're about certain to be able to
delete them from a Command (DOS) prompt using DEL. Help is
available here for all of that should you need it.

Pop
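
A triage sketch for the situation described in this thread, added here as an example and not posted by anyone in it: it finds folders under a root that all carry the same file byte for byte (the "find scr live.dat" pattern), then applies the reversible rename suggested above while keeping an undo map. The function names, the `.held` suffix and the sample file contents are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_clone_folders(root, min_group=3):
    """Return {(file name, sha256): [folder names]} for files that recur,
    byte for byte, in at least min_group direct sub-folders of root."""
    groups = defaultdict(list)
    for folder in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        try:
            for item in sorted(folder.iterdir()):
                if item.is_file():
                    groups[(item.name, sha256_of(item))].append(folder.name)
        except OSError:
            continue  # unreadable or locked folder: skip it, do not abort the sweep
    return {k: v for k, v in groups.items() if len(v) >= min_group}


def rename_reversibly(root, folder_names, suffix=".held"):
    """Append suffix (hypothetical) to each folder; return {new name: old name} for undo."""
    undo = {}
    for name in folder_names:
        src = Path(root) / name
        dst = src.with_name(name + suffix)
        try:
            src.rename(dst)
        except OSError:
            continue  # missing, or a file inside is in use: leave the folder alone
        undo[dst.name] = name
    return undo


def build_sample(root):
    """Constructed sample: four folder names from the post plus one unrelated folder."""
    for name in ("ante", "ANTEHEART", "ANTEHEARTPROGRAM", "PNTE"):
        (Path(root) / name).mkdir()
        (Path(root) / name / "find scr live.dat").write_bytes(b"constructed sample bytes")
    (Path(root) / "ANTEHEARTPROGRAM" / "Cake City.dll").write_bytes(b"constructed stand-in")
    (Path(root) / "Common Files").mkdir()
```

Grouping by file name and hash rather than by "folder holds exactly one file" keeps a folder such as ANTEHEARTPROGRAM in the group even though it also holds a DLL.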
 